So you've decided that you want a Cisco ASA5510 firewall or two. Unfortunately it'll cost you dearly, assuming you can even find one. It seems that Cisco is having some significant production problems with the ASA line, and as a result, ASAs are suddenly as rare as hen's teeth. This is bad news for just about everyone -- except Cisco's competitors.

In the past few weeks, I've had several folks ask me for alternative recommendations for ASA firewalls because they simply cannot source any. I've been sending them to Juniper and the SSG series or even to open source alternatives like pfSense. These folks are from committed Cisco-only shops, too, but they simply can't wait several months for new gear.

As with any supply issue, the dearth of Cisco ASAs has caused a run on graymarket hardware, with used ASAs selling for more than the list price on new ones, and new units fetching $2,000 premiums over list. Cisco resellers have back orders numbering in the thousands with no end in sight. Even vendors that have loaner pools say that the waiting lists for those units is equally astronomical.

Assuming Cisco's woes continue, all of those customers will have to head elsewhere for their firewalls and VPN appliances. Some are opting for graymarket PIXes to get them through, some are heading to Juniper, some to Fortinet, and some are looking to open source, like the aforementioned pfSense. Heck, for $700 you can get a 1U pfSense appliance from Hacom with a VPN accelerator that offers 45Mbps AES VPN performance and can handle a wide variety of other tasks. You can even cluster those for redundancy.

But the real problem for Cisco isn't that there are alternatives out there -- it's that suddenly their pure Cisco customers have to take off the blinders and explore other options. These customers are being forced to break the Cisco seal and allow other vendors in the door. Once that's done, there's much less inertia to keep them automatically heading back to the Cisco well.

This is particularly bad timing for Cisco. IT spending is up, the economy appears to be heading in the right direction, and IT shops across the globe are restarting stalled projects or starting new ones and need the gear as soon as possible. Most notably, ASAs are Cisco's firewall product, and Internet circuits are costly and generally take months to provision and install. Thus, many companies are awaiting circuit installations with simply no hardware available to handle them. They're definitely not in any position to hold out for Cisco's production blunders to be resolved.

There's even more consternation in larger companies, where Cisco ASAs might be the only option due to stringent equipment validation procedures and policies. If an ASA is the only firewall that policies allow to be installed on the network, then those policies are suddenly going to have to change. If prior testing and validation are required for those policy changes, then plenty of IT admins will be spending quality time with other vendors' gear during that process, not to mention once they're in the field.

It's even more galling that Cisco has stated it is refusing to release a 64-bit version of its standard VPN client in order to force customers to the company's AnyConnect client that requires a Cisco ASA. If you're running Cisco VPN concentrators and facing a raft of users running 64-bit Windows that need VPN access, you're out of luck -- unless you use a non-Cisco client.

Apparently, it's not just firewalls. Customers are reporting huge delays and no promises of delivery dates on Cisco 2960 switches, too. Talk about hindering progress.

If other vendors products are even remotely up to snuff and come in cheaper than the Cisco gear, then they may be able to make significant inroads into places where they've never even had a foothold before -- and all because Cisco dropped the ball.